Objectives

Our main goal was to detect and describe deterministic aspects of traffic behavior in data
networks, in order to provide a basis for better detection of anomalous network activity. We
also sought to characterize the robustness of complex data networks to (possibly malicious)
perturbations, in order to help engineer against disruptions.


Methods/Findings

We developed and published [2,3] a method for estimating, from packet data collected at a
single point in a real network, quantities such as the current round trip time and TCP
congestion window for individual sender-receiver pairs. We found that we can use our measurements
to predict the timing of packet drops; for example, predictions based on our estimates of
round trip time are significantly better than predictions based only on the statistics of
inter-drop times. In conjunction with our models, discussed below, this work enables short-term
prediction of events like congestion in a particular part of the network.

Precise modeling of packet-level network dynamics requires several variables to track
even a single TCP flow through a router. We found that we can capture the dynamics of the
model reasonably well using a single variable for each flow, the size of its congestion window.
In particular, the same dynamical phenomena that occur in packet-level simulations occur
in our simplified model. By simplifying the model, we gained a better understanding of why
these phenomena occur, and we were able to scale the model to much larger networks.

We published [1] a model for TCP traffic (with RED congestion control) that describes the
dynamics of a network in terms of two main state variables: the size of the congestion window
for each data flow between a given sender-receiver pair, and the size of the queue at each
router. In addition, it keeps track of a filtered (time-averaged) queue size for each router to
simulate the RED mechanism for dropping packets, and has some timer variables to track the
effect of packet loss. We found that even in a network consisting of a single sender, router,
and receiver, this model can behave chaotically (unpredictable in the long run despite being
deterministic) in response to a periodic input to the router from a non-TCP source.

We also published [6] a study of bifurcations in our model, and in the network simulator
ns, for small networks. In this work, we investigated the response of a small network to
periodic short packet bursts. Our motivation was to understand the possible effects of a
low-volume denial of service attack, where a host tries to disrupt a network with unobtrusive but
well-timed packet bursts rather than just flooding the network with packets. We found that,
as the period of the bursts varies, there are sudden changes in the network response between
stable periodic behavior and chaotic behavior, and that these bifurcations are qualitatively
reproduced by a one-dimensional model that tracks the phase of congestion events relative
to the periodic bursts.

To study large networks, we developed and published [5] a streamlined model of TCP-RED
network traffic that exhibits similar dynamics to our previous model, but requires only
keeping track of a rate (proportional to the congestion window) for each data flow. This
gave rise to a piecewise linear model, with complexity arising from the variety of sequences
in which different routers on the network can become congested and drop packets. We found
that regardless of network size, the dynamics are stable and periodic for typical parameter
values. The model assumes that the network traffic is dominated by bulk flows, in which a
sender is transmitting information to a receiver as fast as the TCP protocol allows for an
extended period of time. The parameters are the round-trip times of these flows and the
throughput capacities of the routers involved, and the initial conditions are the send rates of
the different flows at a particular time. Our results suggest a large-scale robustness of TCP
networks to small perturbations, despite the potential for local disruptions indicated by our
lower-level model.

Finally, we investigated [4] routing and load-balancing algorithms for peer-to-peer
networks, in order to understand and help detect the dynamics of file-sharing traffic. We also
examined sets of network trace data, in which much of the peer-to-peer activity is easy to
identify due to the port numbers used. We used this data to test methods for classifying
network traffic without considering port numbers (since covert peer-to-peer activity will use
ports normally associated with other types of traffic). We found it most fruitful to
identify quantities that should correlate to peer-to-peer activity based on our understanding of
its dynamics, then use standard algorithms for decision tree analysis to determine how to
classify network traffic according to these quantities. An example of such a quantity is the
frequency with which a particular computer receives data from one computer and then soon
after initiates a connection with a different computer.
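
The quantity named in the last sentence above, computed without port numbers and passed to a single-split decision tree. This is an added example, not the authors' code; the event format, the 2-second window, the sample events and the labels are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events (not real trace data): (time_s, kind, src, dst).
# "data": dst received payload from src; "syn": src opened a connection to dst.
EVENTS = [
    (0.0, "data", "10.0.0.9", "10.0.0.5"), (0.4, "syn", "10.0.0.5", "10.0.0.7"),
    (3.0, "data", "10.0.0.7", "10.0.0.5"), (3.5, "syn", "10.0.0.5", "10.0.0.8"),
    (6.0, "data", "10.0.0.8", "10.0.0.5"), (7.0, "syn", "10.0.0.5", "10.0.0.9"),
    (0.9, "syn", "10.0.0.20", "192.0.2.10"), (1.0, "data", "192.0.2.10", "10.0.0.20"),
    (1.2, "data", "192.0.2.10", "10.0.0.20"), (4.9, "syn", "10.0.0.20", "192.0.2.10"),
    (5.0, "data", "192.0.2.10", "10.0.0.20"),
    (2.0, "data", "192.0.2.10", "10.0.0.30"), (2.5, "syn", "10.0.0.30", "192.0.2.11"),
    (2.8, "data", "192.0.2.11", "10.0.0.30"), (3.0, "data", "192.0.2.11", "10.0.0.30"),
    (9.0, "data", "192.0.2.11", "10.0.0.30"),
]
# Constructed ground truth, as if taken from port-identified traffic.
LABELS = {"10.0.0.5": True, "10.0.0.20": False, "10.0.0.30": False}

def relay_frequency(events, window=2.0):
    """Per host: fraction of inbound data events followed within `window`
    seconds by that host initiating a connection to a *different* peer."""
    syns = defaultdict(list)              # host -> [(time, peer)] it initiated
    for t, kind, src, dst in events:
        if kind == "syn":
            syns[src].append((t, dst))
    hits, total = defaultdict(int), defaultdict(int)
    for t, kind, src, dst in events:
        if kind != "data":
            continue
        total[dst] += 1
        if any(t < ts <= t + window and peer != src for ts, peer in syns[dst]):
            hits[dst] += 1
    return {host: hits[host] / total[host] for host in total}

def best_threshold(features, labels):
    """One-split decision tree (stump): choose the cut on the feature that
    misclassifies the fewest labelled hosts. Needs >= 2 distinct values."""
    values = sorted(set(features.values()))
    cuts = [(a + b) / 2 for a, b in zip(values, values[1:])]
    return min(cuts, key=lambda c: sum((features[h] > c) != labels[h] for h in labels))

if __name__ == "__main__":
    feats = relay_frequency(EVENTS)
    print(feats, "cut:", best_threshold(feats, LABELS))
```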